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Abstract 

The ideal BB84 quantum key distribution protocol is based on the 
preparation and measurement of qubits in two alternative bases dif- 
fering by an angle of 7r/2. Any real implementation of the protocol, 
though, will inevitably introduce errors in the preparation of the states 
and in the alignment of the measurement bases with respect to this 
ideal situation. We illustrate the effects of such errors on the security 
of the BB84 protocol in the case of individual attacks, where necessary 
and sufficient conditions for security are known. Though the effects of 
these errors are small for expected deviations from the perfect situa- 
tion, our results nevertheless show that Alice and Bob can incorrectly 
conclude that they have established a secure key if the inevitable ex- 
perimental errors in the state preparation and in the alignment of the 
measurements are not taken into account. This gives further weight 
to the idea that the formulation and security analysis of any quantum 
cryptography protocol should be based on realistic assumptions about 
the properties of the apparatus used. 



1 Introduction 

The use of quantum systems to accomplish cryptographic tasks promises lev- 
els of security unachievable with any classical system. With these benefits, 
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however, comes an added difficulty. Unlike classical protocols intended for 
execution on a digital computing device and whose security is purely based 
on the mathematical properties of the device's outputs, quantum protocols 
make use of analogue systems and their security is intrinsically physical: it 
depends on the fact that device's output was obtained by measuring, e.g., 
the polarisation of a single photon along well defined orientations. Devia- 
tions from the ideal situation, which are an all-or-nothing affair in a digital 
algorithm and can typically be eliminated with some very large probability, 
therefore become inevitable to some degree in quantum protocols. 

The BB84 protocol [IJ for quantum key distribution [21 [3], for instance, 
requires that one party ('Alice') prepares and sends a sequence of ran- 
dom qubits taken from the set {\ipbm)}, where the indices b,m £ {0,1} 
can be interpreted as a choice of basis and bit, respectively. The other 
party ('Bob') then randomly measures each qubit he receives in one of two 
bases {|</'oo)5 1'/'oi)} or {|0io), I'/'ii)}- In its ideal formulation, the states 
{\ipbo), l^fei)} prepared by Alice are supposed to form a basis and therefore 
to be orthogonal, 

{^bo\i'bi)=0 for 6 = 0,1. (1) 

Furthermore, the two bases on Alice's and on Bob's sides are supposed to 
differ exactly by an angle of vr/2, i.e., to satisfy the relation^ 

iV'io) = ^[|V'oo) + |V'oi>] , (2a) 
|V'ii) = ;^[lV'oi)-|V'oo>], (2b) 



and 



^10/ 

Hi) 



^[|0oo) + |<Aoi)] , (3a) 
;^[l0oi)-|<Aoo)]. (3b) 



While existing security proofs for BB84 can deal with an arbitrary noise in 
the quantum channel from Alice to Bob, they usually assume that the states 
prepared by Alice and that the measurements performed by Bob satisfy 
precisely the conditions ([TJ, ([2]), and ([3]). In a realistic execution of the 
protocol, however, experimental errors are inevitable. For instance, the 
measurement of a polarisation qubit cannot be more precise than 2° or 4° 
(on the Bloch sphere) due to the intrinsic uncertainty of the polarisation 
rotator used. Such imperfections may allow an eavesdropper to gain more 
information about the shared key than existing security proofs would imply. 



^In addition, in the ideal formulation of the BB84 protocol, the bases on Alice's and 
Bob's side are usually taken to be perfectly aligned, i.e., |i/'6m) = \4'bm)- But any mis- 
alignment between the two bases can always be absorbed in the unitary transformations 
performed by Eve on the states emitted by Alice and thus has no incidence on the security 
of the protocol. 
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Here we illustrate the effects that imperfections in the preparation of the 
states and in the alignment of the measurement bases could have on the 
performance of quantum cryptography protocols, using the BB84 protocol 
as our example. For simplicity, we consider the case where the states emitted 
by Alice still form two orthonormal bases as in ([1]) . (Any deviation from ([1]) 
can only reinforce the effects of imperfections that we illustrate here.) We 
suppose, however, that Alice's preparation and Bob's measurement bases 
are not exactly mutually unbiased, but that they differ by angles a and /3, 
respectively, different from 7r/2. That is, we suppose instead of ^ and ^ 
that 



It is clear that such errors will in general reduce the security of BB84. 
For example, in the extreme case where the two bases accidentally coincide 
(a,/? = 0), an eavesdropper could perfectly clone the states sent by Alice 
without revealing her presence. Using a combination of analytical techniques 
and numerical optimisation, we demonstrate here more generally a reduction 
in the extractable secret keyrate of the BB84 protocol against individual 
attacks, for a given quantum bit error rate (QBER), when a,/3 / vr/2. 

We restrict our analysis to individual attacks because, contrarily to more 
general types of attacks, necessary and sufficient conditions for security are 
known in this case. It therefore follows that the reduction in the keyrate that 
we observe here is genuine and is not an artefact of a suboptimal security 
proof, as could have been the case had we performed our analysis for more 
general attacks. It is reasonable to expect, though, that our findings are not 
specific to individual attacks, but that similar results hold in full generality. 

Though the reduction in the keyrate that we observe is small for devia- 
tions from the ideal situation expected in realistic implementations, our 
results nevertheless show that Alice and Bob can erroneously conclude that 
they have established a secure key if the inevitable experimental errors in 
the alignment of the bases are not taken into account. This gives further 
weight to the idea that the formulation and security analysis of any quantum 
cryptography protocol should be based on realistic assumptions about the 
properties of the apparatus used. 

This conclusion goes in a similar direction as that which can be drawn from 
the recent weaknesses discovered in certain QKD implementations, such as 




(4a) 
(4b) 



and 




(5b) 
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[11[5]. Note though that our work has a very different perspective. Indeed, 
contrary to [U [5] , our results do not uncover an implementation flaw in an 
otherwise theoretically secure scheme - a flaw which could therefore be fixed 
purely at the implementation level. The message that we want to convey 
here is rather than in any trusted and "secure" QKD implementation, uncer- 
tainties in the preparation of the quantum states and in the alignment of the 
measurement bases will inevitably be present and may affect the security. 
These uncertainties must therefore be accounted for at a theoretical level 
either by adapting the security proof or by moving to device-independent 
[6l[7j or semi-device-independent schemes j8l [9l [TO]. 

We note that proofs of security of BB84 have been proposed that relax 
conditions fl]) and [llj, conditions Q [12], conditions P and pi [TH]. 
and also that take into account certain particular modifications of all three 
conditions ([T]), in the context of collective attacks [H]. To our 

knowledge, however, there is no known general security proof that deals 
with arbitrary violations of all three conditions ([1]), ([2|), ([3]); and if one 
exists it is not used in practical implementations of BB84 The main 

aim of this paper is to draw attention to this issue. 

The present work originates from a loose collaboration with the authors of 
[16\ \n\ . who along similar lines have explored the effect of imperfections 
in the alignment of measurement bases on the characterisation of quantum 
resources through quantum state tomography and entanglement witnesses. 

Our results are presented in more detail in section [2l technical details are 
deferred to section [31 



2 Results 

2.1 Problem definition 

We begin by briefly recounting the BB84 protocol. As recalled above, one 
party (Alice) prepares random qubits from the set {IV'bm)}; and transmits 
them to a second party (Bob). Bob then measures each qubits that he 
receives in one of two bases {\(j)bo)i {(pbi)}, randomly choosing between 6 = 
and 6 = 1 each time, and stores the results. After discarding the cases where 
the choices of basis do not match, Alice and Bob share a so-called "sifted 
key", with Bob's version of the key likely containing errors compared with 
Alice's. By sacrificing a part of the sifted key, Alice and Bob can estimate 
the quantum bit error rate (QBER) Q, which is defined in terms of the 
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observed coincidence rates p^^\m,n) of Alice sending a state encoding bit 
m and Bob measuring n, given basis b. Assuming that the QBER is the 
same in both bases, it can be defined as 

Q = -2 (p^'^(o,i)+p(')(i,o)). (6) 

Following this, error correction and privacy amplification are applied. In the 
case of one-way communication from Alice to Bob, the asymptotic keyrate 
secure against individual attacks is given by the Csiszar-Korner bound |18j : 

r = I{A:B)- I{A : E) , (7) 

where I{A : B) denotes the mutual information between Alice and Bob and 
I{A : E) between Alice and Eve. We recall that, in the case of individual 
attacks, Eve performs the same unitary attack on each of Alice's qubits, but 
is allowed to possess a quantum memory and can delay her measurements 
on the states in her possession until after the bases are revealed. Fuchs et 
al. show in [19] that the highest secure asymptotic keyrate, under conditions 
(HI), 05 dSI) is given in terms of Q by 

r = h{^-^Q{l-Q))-h{Q), (8) 

where h is the binary entropy function. 

Our task is to minimise the expression ([7]) for a given QBER Q using the 
preparation and measurement bases defined by and ([5]) rather than the 
ideal ones. To simplify the analysis we will assume that the errors observed 
between Alice and Bob are symmetric, i.e. 

p(o)(o,l) =p(0)(l,0) =pW(0,l) =p(i)(l,0). (9) 

Given our assumptions about the symmetries in the errors observed by Alice 
and Bob, I{A : B) is a simple function of Q: 

I{A:B) = 2-h{Q). (10) 

In general there need not be such symmetries in the joint probabilities 
p^^{m,q) shared between Alice and Eve, and I{A : E) is accordingly more 
complicated. In each basis it will be convenient to parameterise these quan- 
tities in terms of an error Qae analogous to the QBER, and an offset 5^^^: 



pi>,0) = i(l-QfJ,-5W), (11a) 

pJJ,(0,l) = i(Qj), + 5W), (lib) 

p(f),(l,0) = i(QfJ,-5W), (11c) 

pS(l,l) = i(l-Qf), + 5W). (lid) 
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The inverse relations are = p^l^{0, 1) +p^^{l, 0) and 5^''^ = p^l^{0, 1) — 
pj^g(l,0). The mutual information between Alice and Eve is given by 

I{A:E) = 1 + ^ (/(°) {A:E) + /(^^ {A : E)) , (12) 

where I^'^^A : E) is the mutual information in a single basis, determined by 
the joint probabilities p^g(m, n). 

We present results for the numerical optimisation of this problem in the 
next subsection. Details of the parameterisation and techniques employed 
are deferred to section [3l 



2.2 Optimisation results 

In numerically evaluating the keyrate, it generally seems to be the case, as 
one might expect, that the minimal keyrate is found for a unitary interaction 
that gives Eve symmetric information about the bits in Alice's possession. In 
terms of the parameterisation introduced at the end of the previous section, 
this is the case where 5^^^ = 5^^^ = and Q^E ~ Qae = Qae- The keyrate 
is then a simple function of Q and Qaf.'- 

r = HQae) - HQ) . (13) 

Supported by a few test cases, this simplification was applied in the results 
we now present. (Note that even if Eve's optimal attack does not generally 
satisfy this symmetry, our results still represent an upper bound on the 
secure keyrate, which conclusively shows that Eve can gain information by 
exploiting preparation and measurement imperfections with respect to the 
ideal case.) 

Fig. [1] is a plot of the optimised keyrate as a function of Q for a few fixed 
values oi a = j3 = 6. The values of 6 used are 90° (the ideal case), 80°, 
and 70°. The latter two are the worst case scenarios if there are absolute 
experimental errors of respectively 5° and 10° on the orientations of the 
bases both used by Alice and measured by Bob. That is, if Alice and Bob 
know, say, that their devices are accurate to within five degrees, i.e., 80° < 
a,j3 < 90°, then the worst keyrate that we have found corresponds to the 
situation a = (3 = 6 = 80°. The worst case scenario is thus that the largest 
possible error on the orientation of the devices is systematic. 

Fig. [2] is a plot of the minimised keyrate as a function of the deviation 
5e = 6 - t:/2 from the ideal case, for QBERs of l/4Qo, l/2Qo, and 3/4Qo, 
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Figure 1: Variation of keyrate with QBER for 6* = 90°, 80°, and 70°, corre- 
sponding to the worst case scenarios for errors of 0°, 5°, and 10° respectively. 




Figure 2: Variation of keyrate with angle 6g = 9 — tt/2, for Q = 1/4 Qo, 
1/2 Qo) and 3/4 Qo) where Qo « 0.1464 is the upper secure bound on the 
QBER. 




Figure 3: Maximum secure QBER as a function oi 5q = 9 — tt /2. 



where Qq = \- \^/2 w 0.1464 is the maximum tolerable QBER in the ideal 
case. 

Finally, Fig. [3]is a plot of the upper secure bound on the QBER as a function 
of the deviation 5q = — tt /2. 



2.3 Discussion 



Assuming that Alice and Bob observe errors that are symmetric, according 
to dH]), using a combination of analytical and numerical techniques we have 
determined upper bounds on the keyrate for preparation and measurement 
devices characterised by the misalignment angles a and (3 defined in @ and 
([5]). As soon as a,/3 7^ vr/2, we find that these upper bounds are lower 
than the optimal keyrate ([5]) for a given QBER, therefore showing that 
imperfections in the preparation and measurement devices can be exploited 
by an eavesdropper if they are not taken into account in the security proof. 

The upper bounds that we have obtained correspond to the best individual 
attack that is symmetric, i.e., that satisfies 5^^^ = (5^^) = and = 

Q^^E = Qae- We have numerically verified in a few test cases that the best 
overall individual attack satisfies this symmetry condition. We thus expect 
our upper bounds on the keyrate to actually correspond to the optimal 
keyrates in the presence of imperfections of the type we consider. 

If Alice and Bob know that their devices are accurate to within a given 
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precision 6$, they should assume, for the purpose of proving security, that 
their devices are characterised by the angles a and /3 compatible with this 
precision that yield the worst case keyrate. We verified in a few test cases 
that this happens for the smallest angles a and /3 consistent with the set 
error, at least in the case where the set error is the same on Alice's and 
Bob's devices. It is for this reason that the above figures are plotted for 
values of the angles satisfying a = l3 = 9 = n/2 — Sg. 

All the results that we have presented here were obtained for the case where 
both bases are used to establish the secret key. One may also consider the 
variant of BB84 in which only one basis is used to generate the key [20] . In 
the ideal case, this results in a keyrate that is asymptotically twice as high, as 
the sifting step where half of the results are discarded is no longer necessary. 
We have also adapted our analysis to this situation and have found that 
for high QBERs the two-basis protocol results in a higher keyrate than the 
single-basis one, suggesting that the former is more robust against alignment 
errors. 

Finally, we remind the reader that throughout our analysis, we have assumed 
that the states prepared by Alice define a basis, i.e., satisfy ([1]). Relaxing 
this condition could only strengthen the effects of imperfections observed 
here. 



3 Technical details 

3.1 Eve's interaction 

The model applied here is a straightforward adaptation of the one considered 
in [19] , In the worst case scenario the eavesdropper (Eve) has replaced the 
quantum channel between Alice and Bob with a lossless channel, before 
appending an ancilla to the state sent by Alice and applying a unitary 
operation with the intent of cloning the communication. We express the 
interaction as 




(14a) 
(14b) 




in the basis 6 = 0, and similarly 






(15b) 
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in the basis b = 1, where the states ai^e states in the Hilbert space 

T-Lb ® T^E accessible to Bob and Eve. Linearity of the unitary interaction 
impUes that these states obey the same relations as {\ipbx)}- Specifically, 

l^-io) = cos(f )|^oo) + sin(f )|^'oi) , (16a) 
l^-ii) = cos(f )|^oi> - sin(f )|^'oo> . (16b) 

In order to parameterise the interaction, we set 

l^oo) = |<Aoo)(|a> + \b)) + \M{\c) + \d)) (17a) 

l^oi) = \M{\a) - \b)) + \ct>oo)i\c) - \d)) (17b) 

and 

l^io) = \<Pio){\a) + + |0ii)(|c') + \d')) , (18a) 

\^n) = \Mi\a') - \b')) + |0io)(|c') - Id')) , (18b) 

where \a) , \ b) , \ c) , \d) £ He are (not necessarily normalised) states accessible 
to Eve whose "metric" 'jij = {i\j), i,j £ {a,b,c,d} completely define Eve's 
interaction. Combining ()17p and ()18p with ()16p and ([5]), we extract the 
relations 

\a') = cos(A)|a) + sin(A)|d) , (19a) 
\d') = cos(A)|d) - sin(A)|a) (19b) 



and 



where we have set 



\b') = cos{0)\b) + sin(e)|c) , (20a) 
|c') = cos(^)|c) -sin(0)|6), (20b) 



— a , , 

A = , (21a) 



2 

(3 + a 



(21b) 



The problem now is to identify the metric ^ij which will maximise the infor- 
mation Eve is able to gain about Alice's raw key. Note that this information 
also depends on the measurements Eve performs on her part of the states 
she shares with Bob. In general these will be POVMs which are allowed to 
depend on the basis (since we allow Eve to possess a quantum memory). We 
can the POVM elements and F^, where b G {0, 1} and + Fbi = 1. 
As will be explained in the next subsection, we will be able to eliminate the 
explicit appearance of the POVM elements in our optimisation problem. 



10 



3.2 Eve's quantum error 



As stated in the introduction to this section, we wish to minimise the ex- 
tractable secret keyrate, which involves maximising the mutual information 
I [A : E). As a stepping stone to optimising this quantity we will consider 
the QBER in Eve's inference of Alice's bits, Qae, first introduced in sec- 
tion [H in ()lip . Working in a single basis b for now, this quantity is given 

by 

Q!fJ:=rfk0,l)+rfkl>0). (22) 

In general I^^\A : E) depends on both this error and the asymmetry 

5^^^ also introduced in (jlip . and is an increasing function as approaches 
1/2 for fixed 5^'^\ Rather than attempting to directly optimise the mutual 

information in terms of and 5^^^ , we instead turn our attention to the 
combination 

Qfl(e) = (1 + e)pf^{0, 1) + (1 - .)pJJ,(l, 0) . (23) 
In terms of and 6^^^ this is 

Qjk^) = QJU ^^^'^ • (24) 

Optimising this quantity yields a 6^^^ , dependent on the weighting parameter 
e, and an optimal given 5^. By varying e one may hope to sweep the 

range of values of 6'^^^ and obtain a profile of minimised Q^E ^ function of 
6^^\ The motivation for this approach becomes apparent when we express 
^ae(^) terms of Eve's probe and POVM elements. 

In terms of Eve's interaction and measurement, 

pfl{0,l) = hT^[pboFM] (25a) 
Pae(I'O) = iTr[pwFM], (25b) 

where pbx = TrB[\'^bx){^bx\], Tre is the partial trace over T-Ib, and F^z are 
POVM elements which sum to unity for each basis. Substituting into (|23p 
and using that F^i = 1 — F^o , we obtain 

QaU^) = hi^ + ^)-h Tr[((pw - Pbi) + e{pbo + Pbi))Fbo] ■ (26) 

This expression is minimised by taking for Fho a projector which selects the 
positive eigenvalue part of the operator in the trace (the Helstrom bound). 
The result of optimising over Eve's measurement is 

QaU^) = k - lUpbo - Pbl) + i^ipbo + Pbl)\\i , (27) 
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where for an arbitrary matrix ||M||i = Tr[(M^M)^/^]. This replaces the 
expHcit appearance of Eve's POVM with an eigenvalue problem, leaving 
only an optimisation over Eve's interaction. Note that this would not be 
possible if we instead attempted to optimise Q^e fixed S^'^^ , since in that 
case the POVM element F^o would appear explicitly in the constraint as 
well as in the expression to optimise. 



Using 6 = as an example, we now describe how we approach the problem 
of maximising and how we extract the corresponding values of 
and S^'^\ In terms of the four states |a), |c) and \d) introduced earlier in 
order to parameterise the probe. 



Upoo - Poi) = \a){b\ + \b){a\ + \c){d\ + \d){c\ , 
Upoo + Poi) = \a){a\ + \b){b\ + \c){c\ + \d){d\ . 



(28a) 
(28b) 



In general our problem is to extract the eigenvalues of an operator A given 
its decomposition 

A = A'^\i){j\ (29) 

in terms of the states \ i e {a, b, c, d}} (where we adopt the convention 
of summing over repeated indices). Explicitly decomposing a vector \u) on 
the same basis as \u) = u^\i), the action of ^ on \u) is 



A\u) =A'^\i){j\u''\k) 
= A'^-fjku''\i)- 



(30) 
(31) 



It is not difficult to see that determining the eigenvalues and eigenstates of A 
is equivalent to determining the eigenvalues and eigenvectors of the matrix 
AT, where A = (Aij) and T = (jij). (This remains true even in the case 
where the vectors are not linearly independent.) The matrix whose 

eigenvalues we wish to determine may be expressed as D + eT, where 



D 



'iba 


62 


Ibc 


Idc 




lab 


lae 


lad 




Idb 


Ide 




lea 


Icb 


c2 


led 


-0? 


lab 


lae 


lad 


Iba 




Ibc 


Ide 


lea 


Icb 


c2 


led 


.Ida 


Idb 


Idc 


d^ 



(32) 



(33) 



and = laa, and so on. Let the eigenvalues of this matrix be {Xp} and the 
corresponding (not necessarily normalised) eigenvectors be {vp}, such that 



{D + eT)vp 



XpVp . 



(34) 
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In terms of the set of eigenvectors, the operator Fqq has the expression 

where \vp) = Vp\i), i £ {a, b, c, d} and the sum is over the indices p for which 
Xp > 0. Using this and that the \vp) are orthogonal, we obtain a matrix 
expression for the trace of an arbitrary operator A multiphed by F^q: 



{Vp\Vp) 

Y_'J^. (36) 

Ap>0 



The exphcit expressions for qJ'J and S'^^^ are 



Qfl = i-^'^ (37) 

<^(°)=i-5:^. (38) 



With and f^*^") determined, we have an optimised value of I^^\A : E) 
for fixed 5^^\ and all that remains is to optimise I^^\A : E) over e. 

Finally, the generalisation when we consider two bases is straightforward: 
we will approach the optimisation of I{A : E) by introducing three weighting 
parameters eoi £ii and e, instead of one, optimising the quantity 

QAE(eo,ei,e) = i(l + e)Qi°J,(eo) + 5(1 - e)Q^^^{ei) , (39) 
and then optimising I{A : E) over (eo,£i,e)- 



3.3 Inherent QBER 



All that remains now, before being able to optimise ()39p over all of Eve's 
possible unitary interactions, is to determine the full set of constraints on 
the metric 7ij, since not all metrics will represent a unitary interaction, and 
to determine the relationship between the metrics 7,^ and 7^^- in the two 
bases (which depends only on the angles 9 and A). This is done in the next 
subsection. Before this, we demonstrate that there is a minimum nonzero 
QBER if a / /3 (in which case Alice and Bob's bases cannot be perfectly 
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aligned) . This is easily verified by expressing the QBER Q in terms of a ba- 
sis {|0'), |1')} intermediate between {|^'oo), l^oi)} and {l^'io), l^ii)}, and a 
basis {|0), |1)} midway between {|0oo)) I'/'oi)} and {|</>io), I'/'ii)}- Specifically, 

|0') = cos(f )|^'oo) + sin(f )|v&oi> , (40a) 
= cos(f )|^'oi) - sin(f )|M'oo) , (40b) 



and 



|0) = cos(f)|(/.oo) + sin(f)|</<oi), (41a) 
|1) =cos(f)|0oi)-sin(f)|0oo). (41b) 



Setting 



and 



S, = |0')(0'|-|1')(1'I (42a) 
S, = |0')(1'| + |1'>(0'| (42b) 

a, = |0)(0|-|1)(1| (43a) 
a, = |0)(1| + |1)(0|, (43b) 

then with this choice of basis the expression we find for the quantum error 
is 

Q = i - i cos(f ) cos (f ) Tr [S,(ct, ® 1e)] 

-isin(f)sin(f)Tr[S,(a,®lE)] • (44) 

Clearly, -2 < Tr [^^(cj^ ® 1e)] < 2 and -2 < Tr[Sx.(cr^ ® 1e)] < 2, and we 
find the bound 

Q>\ - ^max{|cos(A)|,|cos(e)|}, (45) 

with A and defined as in ()2ip (this bound is also saturated, e.g. if Eve does 
not interfere with the channel, in which case Ti^^x = <^z,x)- The corresponding 
upper bound is 

Q<\ + ^max{|cos(A)|,|cos(e)|}. (46) 



3.4 Transformation and constraints 

We now determine the full set of constraints on the metric elements 7jj. 
First, we impose that the QBER is fixed at Q. This combined with (^'ool^oo) ■ 
(*oi|^oi) = 1, imposes 

a2 + 6^ = 1 - g , (47a) 
(? + d^ = Q, (47b) 
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and Re[7a6] = Re[7cd] = 0, with analogous constraints for the basis 6=1. 
The components -^ab-, lac-, Ibd, led transform between the two bases according 
to 

7^6 = cos(A) cos(6')7af, + cos(A) sin(6')7ac 

+ sin(A) cos(6')7d6 + sin(A) cos{e)-^dc , (48a) 

7^c = cos(A) cos(6')7ac - cos(A) sin(6')7a6 

+ sin(A) cos{e)-fdc - sin(A) sm{9)-fdb , (48b) 

I'db = cos(A) cos(6l)7rfb + cos(A) sin(6l)7dc 

- sin(A) cos(6')7afe - sin(A) sin(6')7ac , (48c) 
Idc = cos(A) cos(6l)7rfc - cos(A) sin(6')7rfb 

- sin(A) cos(0)7ac + sin(A) sm{B)-fab ■ (48d) 

For a more compact representation, the transformation matrix from [lab, lac, Idb, Idc]'^ 
to [lab, lac, I'db^ I'dcf can be expressed as 

cos(A) sin(A) 
-sin(A) cos(A) 

(j48ap and ()48dp together with the constraint Re[7a6] = Re[7c(i] = imply 
Re[7ac] = Re [7m] = 0. 



cos{9) sin(0) 
- sin(6') cos{9) 



(49) 



For a' and d' , we find 

= cos(A)2a2 + sm{Af(f + sin(2A) Re[7ad] , (50a) 

= cos(A)2d2 + sin(A)2a2 - sin(2A) Re[7ad] , (50b) 

from which we immediately see that a'^ + d'^ = -\- d?. From ()50p . and 
taking the real and imaginary parts of 

7^^ = -i sin(2A)(a2 - d^) + cos(A)27,rf - sm{Af^aa , (51) 

we find 

5'ad = cosi2A)5ad + sin(2A) Re[-fad] , (52a) 

Ml'ad] = cos(2A) Re[-fad] - sin(2A)5,d , (52b) 

Im[7ad] = Im[7ad] , (52c) 

where 5ad = ^^-^ ■ Similarly, 6'^ + c'^ = 6^ + and 

4 = cos{2e)6bc + sm{29) Re[-fbc] , (53a) 

ReKJ = cos(2e) Re[7fee] - sin(20) 5;,^ , (53b) 

ImKc] = Imbfcc] , (53c) 



15 



with 6bc = — Orthogonality of l^'oo) and l^'oi) imphes Im[7{,c] = Im[7arf]. 
We still require a'^ < 1 — Q and d'^ < Q individually, which impose 

cos{Afa'^ + sm{Afd'^ + sin(2A) Rei'jad] < 1 - Q , (54a) 
cos(A)2(i2 + sin(A)2a2 - sin(2A) Rei'jad] < Q ■ (54b) 

(|54ap is automatically satisfied, in the sense that there are no new restric- 
tions on a^, cP, or Re[7arf], if Q > | — ^|cos(A)|. ()54bp is automatically 
satisfied if Q < ^ + ^|cos(A)|. Similarly, we automatically have b'^ < I — Q 
and c/^ < Q as long as ^ — ^|cos(6')| < Q < ^ + ^|cos(6')|. 

Finally, using a'^ + 6'^ = + 6^ and c'^ + d'^ = + d^, we obtain the 
constraint 

sin(2A)Re[7ad] + sin(20)Re[7fec] = sm{Af {a^ - cP) + sm{e)^ {b'^ - c^) . (55) 
3.5 Optimisation 

The plots given in Figs. [1] and [2] were generated by numerically maximising 
Qae = Qae{£o = £i = e = 0), defined by equation ([39]) . using Matlab's 
f mincon routine, over all metrics 7jj respecting the constraints derived in the 
preceding subsection for the reported angles 9 and values of Qab and with 
A = 0, and calculating the corresponding value of I {A : E). For simplicity, 
we performed no systematic optimisation over {eq , ei , e) . Optimising over 
{eQ^ei,e) in a few test cases generally supported our expectation that the 
minimal keyrate would be obtained for the maximal value of Qae with a 
symmetric attack {6^^^ = 6^^^ = and = Q^e)- Similarly, investigating 
test cases generally found that the minimal keyrate, given a common error 
bound on the deviation of a and /3 from 90°, was obtained by setting both 
to the worst case such that a = (3 = and A = 0. As a result, the keyrates 
given in section 12.21 are an upper bound on the secure keyrate (which is 
sufficient to demonstrate a degradation in performance) which we believe 
are very likely the optimal keyrates. 

The maximum tolerable QBERs reported in Fig. [3] are those for which Q = 
Qae for the angles 9 considered, again with A = 0. 

In addition to the keyrates reported in section 12.21 we also similarly inves- 
tigated the case in which only one basis is used to generate the key, by 
maximising only Q^E- ^^^^ case, the resulting keyrates (not accounting 
for sifting) are lower than those obtained for the case in which both bases 
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are used, for the same parameters. This suggests that implementations of 
BB84 in which both bases are used to generate the key are Hkely to be more 
robust against implementation errors, as we alluded to in section 12.31 
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